Penetration Testing FAQs
What is a penetration test?
A Penetration Test (also known as ethical hacking or a pen test) is an authorised, scoped attempt to compromise your organisation's IT network infrastructure, applications and employees (the latter through social engineering), using the same techniques a real attacker would.
The purpose of the test is to strengthen your organisation's security defences by identifying the areas that are susceptible to compromise (vulnerable), demonstrating the impact where possible, and advising on remediation.
When is penetration testing required?
Outside of meeting a specific compliance requirement, penetration tests should be performed at least annually, after significant changes to the environment, or more frequently for organisations with a high-risk profile.
How long does a penetration test take?
There is no standard answer for the time it takes to conduct a penetration test, as it depends on the objectives, approach, and the size and complexity of the environment (attack surface) to be tested – the scope of the work to be undertaken.
A single application or small environment can be completed in a few days, but a large, complex environment can take weeks.
How much does a penetration test cost?
There is no universal price for a penetration test.
A good-quality penetration testing provider will hold a scoping consultation to understand your organisation's aims and objectives and to build a high-level threat model, so that the full scope of work is understood before a quote is given.
What is a penetration test report?
A penetration test report lists the vulnerabilities identified and how they were exploited, rates each finding by risk level, and gives remediation recommendations informed by the current cyber-threat landscape.
A good-quality penetration tester will also conduct debriefing sessions targeting two separate audiences:
- A technical debriefing aimed at system administrators and engineers. The technical briefing transfers the lessons learned during the penetration test to the IT security team.
- An executive debriefing tailored for the technology management group. This session provides the information needed to determine the appropriate risk management strategy.
How often should penetration testing be done?
Including regular penetration testing in your ongoing cyber security and information security management program is the best approach.
Compliance requirements mandate regular penetration testing – for example, PCI DSS compliance requires penetration testing at least annually or during infrastructure and application modifications and upgrades that significantly change the environment.
Unfortunately, many organisations aim to meet only the minimum requirements of penetration testing to achieve compliance – and believe themselves to be secure. This is a dangerous mindset.
As the threat landscape is ever-evolving, your cyber security company will be your best point of contact to advise on the testing frequency and depth appropriate to your organisation's specific risk profile, compliance obligations and cyber security needs.
Web Application Assessments FAQs
What is a Web Application Assessment?
A Web Application Assessment is a security evaluation of your web-based applications using both manual and automated techniques. The aim is to identify vulnerabilities such as SQL injection, XSS, CSRF, and authentication flaws.
It helps secure your applications by detecting exploitable weaknesses and providing prioritised recommendations for remediation.
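The SQL injection flaw named above, shown as an added example that is not part of the original FAQ: a login lookup written two ways against an in-memory SQLite database. The table, the two accounts, the plaintext passwords (kept only to keep the example short) and the injection payload are all constructed for this illustration.

```python
import sqlite3

# Constructed sample data for this example: two accounts in an in-memory table.
SAMPLE_USERS = [
    ("alice", "correct horse", "admin"),
    ("bob", "hunter2", "user"),
]


def make_db() -> sqlite3.Connection:
    """Build the in-memory users table that both login functions query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Builds the query by string concatenation, so the caller's input is
    parsed as SQL. This is the flaw an assessment reports as SQL injection."""
    sql = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone()


def login_fixed(conn: sqlite3.Connection, username: str, password: str):
    """Binds the input as parameters: the database receives the SQL text and
    the values separately, so a quote or comment marker in the input stays data."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def demonstrate() -> dict:
    """Run the same payload against both versions and return what each does.
    The payload closes the string literal and comments out the password check,
    which SQLite honours because '--' starts a comment that runs to end of line."""
    conn = make_db()
    payload_user = "alice' --"
    return {
        "vulnerable": login_vulnerable(conn, payload_user, "wrong-password"),
        "fixed": login_fixed(conn, payload_user, "wrong-password"),
        "legit": login_fixed(conn, "alice", "correct horse"),
    }


if __name__ == "__main__":
    for name, outcome in demonstrate().items():
        print(f"{name:10s} -> {outcome}")
```

The vulnerable version returns alice's admin row without a valid password; the parameterised version returns nothing for the same payload and still works for a genuine login. An assessment's remediation guidance for this class of finding is exactly the second form: bind parameters everywhere user input reaches a query.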
When should Web Application Assessments be performed?
Web application assessments should be conducted before launching a new app, after major updates, or at least annually as part of ongoing security governance.
How long does a Web Application Assessment take?
Depending on the complexity of the application, a typical assessment can take anywhere from 3 to 10 business days.
What does the assessment include?
The assessment includes vulnerability detection, business logic testing, session management evaluation, and secure coding validation — culminating in a comprehensive risk-based report.
Cloud and Code Review FAQs
What is a Cloud and Code Review?
This assessment involves auditing your cloud environments (e.g., AWS, Azure, GCP) and application source code to identify misconfigurations, insecure practices, and hidden security threats.
Why is it important to review cloud configurations and code?
Misconfigured cloud resources and insecure code are among the leading causes of data breaches. Regular reviews help ensure secure deployment and compliance with industry standards.
How long does a Cloud and Code Review take?
Timeframes vary based on codebase size and cloud complexity but typically range from 5 to 15 business days.
What does the final report include?
You receive a detailed list of findings, risk levels, and clear, developer-friendly remediation guidance.
External Attack Surface Discovery FAQs
What is External Attack Surface Discovery?
This is the process of identifying all your publicly exposed assets and digital entry points (websites, IPs, APIs, cloud storage, and more) that could be targeted by attackers.
Why is this service important?
Organisations often have unmanaged or forgotten assets that pose a high risk. Identifying and managing these proactively reduces the likelihood of exploitation.
When should you perform Attack Surface Discovery?
It is recommended to conduct this quarterly or whenever major infrastructure changes occur.
What deliverables are provided?
A detailed map of your external assets, identified vulnerabilities, and actionable steps to strengthen your external security perimeter.
API and Mobile Testing FAQs
What is API and Mobile Security Testing?
This service evaluates the security of APIs and mobile applications to detect flaws in authentication, authorisation, data handling, and logic flows.
Why test APIs and mobile apps?
APIs and mobile apps are frequently targeted due to improper security controls. Testing ensures these endpoints do not expose sensitive data or functionalities.
How long does testing take?
Depending on scope, it typically takes 4–8 business days.
What does the testing cover?
We cover authentication, session management, data storage, inter-app communication, and transport layer security, aligning with OWASP standards.
Mobile App Penetration Tests FAQs
What is a Mobile App Penetration Test?
This simulates real-world attacks on your mobile applications (iOS and Android) to identify security weaknesses in both the client-side app and backend APIs.
When should mobile apps be tested?
Before launch, after major updates, or annually as part of your secure SDLC.
What types of vulnerabilities are tested?
We assess insecure data storage, weak encryption, broken authentication, code tampering, and reverse engineering risks.
What is included in the report?
Our report provides detailed vulnerability findings, exploit scenarios, and actionable remediation steps.
External Vulnerability Testing FAQs
What is External Vulnerability Testing?
This service scans and evaluates your internet-facing systems for known vulnerabilities and misconfigurations that could be exploited by attackers.
How is this different from a penetration test?
While a penetration test attempts to exploit vulnerabilities to demonstrate real impact, external vulnerability testing focuses on identifying and reporting them without exploitation. Because its findings rest largely on version and configuration fingerprints rather than confirmed compromise, results should be validated to weed out false positives before remediation effort is spent.
How often should it be done?
At least quarterly, or monthly for high-risk environments, and after significant system changes.
What does the test cover?
The test includes port scanning, service enumeration, and vulnerability identification across your public IP space.
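The port scanning and service enumeration steps above, as an added example that is not part of the original FAQ: a TCP connect scan with banner grabbing, run against a constructed loopback listener that imitates an SSH server. The fake service, its banner and the port range are assumptions made for this illustration; only the SSH identification string format (RFC 4253) is parsed, and no vulnerability matching is performed, which is the point: this stage observes and reports, it does not exploit.

```python
import re
import socket
import threading

# RFC 4253 identification string: "SSH-protoversion-softwareversion [comments]"
SSH_BANNER = re.compile(rb"^SSH-(\d\.\d+)-([^\s\r\n]+)")


def start_fake_service(banner: bytes) -> int:
    """Constructed target for the example: a loopback listener that sends a
    banner to each client and hangs up. Returns the port the OS assigned."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))      # port 0: let the OS pick a free port
    srv.listen(5)
    srv.settimeout(3.0)             # stop accepting a few seconds after the scan

    def serve() -> None:
        try:
            while True:
                client, _ = srv.accept()
                client.sendall(banner)
                client.close()
        except socket.timeout:
            pass
        finally:
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def connect_scan(host: str, ports, timeout: float = 0.5) -> dict:
    """TCP connect scan with banner grab: complete the handshake on each port
    and record whatever the service volunteers first. Nothing is sent to the
    target beyond the connection itself."""
    found = {}
    for port in ports:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
        except OSError:
            sock.close()
            continue                # refused or timed out: closed or filtered
        try:
            banner = sock.recv(256)
        except OSError:
            banner = b""            # open, but silent within the timeout
        finally:
            sock.close()
        found[port] = banner
    return found


def fingerprint(banner: bytes) -> tuple:
    """Service enumeration: turn a raw banner into (service, software version).
    Only the SSH identification string is handled here; a real scanner carries
    a probe and a signature per protocol."""
    m = SSH_BANNER.match(banner)
    if m:
        return ("ssh", m.group(2).decode("ascii", "replace"))
    return ("unknown", "")


def demonstrate() -> tuple:
    """Stand up the constructed target, scan the ports around it and
    fingerprint whatever answered. Returns (target_port, {port: (service, version)})."""
    port = start_fake_service(b"SSH-2.0-OpenSSH_9.6\r\n")
    hits = connect_scan("127.0.0.1", range(port - 2, port + 3))
    return port, {p: fingerprint(b) for p, b in hits.items()}


if __name__ == "__main__":
    target, services = demonstrate()
    for p, (svc, ver) in sorted(services.items()):
        print(f"127.0.0.1:{p}\t{svc}\t{ver}\t{'<- constructed target' if p == target else ''}")
```

The version string recovered here is what a vulnerability test later compares against an advisory database; that comparison is the "vulnerability identification" step and is also why the results need validation, since a banner is a claim made by the service, not proof of the code actually running. Neighbouring ports in the scanned range may legitimately belong to other local processes, which is why the usage output marks the constructed target explicitly.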